Google reveals more on how it’s upping Android security

Vulnerability reports play a big role in helping keep Android secure


In order to secure its mobile operating system Android, Google uses a multi-pronged approach that includes monthly security updates to patch vulnerabilities reported through its Vulnerability Rewards Program (VRP) as well as hardening measures to protect against undiscovered vulnerabilities.

All vulnerabilities submitted through VRP are analyzed by the company’s security engineers to determine the root cause of each vulnerability and its overall severity using these guidelines. At the same time though, Google also relies on internal and external bug reports to identify vulnerable components and reveal coding practices that commonly lead to errors.

Relying solely on vulnerability reports can be a problem though as security researchers often flock to areas where others have already found vulnerabilities or use readily-available tools that make it easier to find bugs. For this reason, internal Red Teams at Google analyze less scrutinized or more complex parts of Android so that its mitigation efforts are not biased only towards areas where bugs and vulnerabilities have been reported.

Additionally, continuous automated fuzzers run at scale on both Android virtual machines and physical devices to ensure that bugs can be found and fixed early in the development lifecycle. Vulnerabilities discovered this way are also analyzed for root cause and severity to inform mitigation deployment decisions.

Memory bugs


Of the critical and high severity vulnerabilities fixed in Android Security Bulletins in 2019, memory bugs accounted for 59 percent of all vulnerabilities followed by permission bypass flaws at 21 percent. To prevent memory bugs going forward though, Google is encouraging developers to move to memory-safe programming languages such as Java, Kotlin and Rust.

The Android Security and Privacy Team provided further insight on how it’s working to migrate to memory-safe languages in a blog post, saying:

“C and C++ do not provide memory safety the way that languages like Java, Kotlin, and Rust do. Given that the majority of security vulnerabilities reported to Android are memory safety issues, a two-pronged approach is applied: improving the safety of C/C++ while also encouraging the use of memory safe languages.”


With each new Android release, the Android Security and Privacy Team uses the data available to it to balance security improvements that benefit the entire ecosystem with performance and stability.

Via ZDNet

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
